How to make a custom SSL certificate miner

You are here:
Estimated reading time: 3 min

Why do we need an SSL certificate miner?

The WAF module can only listen on HTTP but it needs the SSL Terminating module to be able to listen on HTTPS as well. This module can do this only if it has the SSL certificates of the domains at its disposal.
BitNinja has such a cert miner by default however this module in some cases might be unable to detect the SSL certs. In which case you need to make a new cert miner.

Before you begin to write your own cert miner make sure all of the required ports are open/ allowed on the server and your firewall (if you have one). Opening the ports might solve the issue altogether.

Required ports

Also, make sure that your certs are not password protected.

Where are your certs are located?

In order to make a working cert miner, you need to know where is the cert of each domain is located.
We will need the private key and the cert file and the name of the domain.

The cert file locations are diverse, they differ by, web server by, operating system or by the control panel.
For example, the /etc/ssl/certs/ directory is the most common however on Direct Admin the cert are located at /usr/local/directadmin/data/users/<insert domain name here>/domains/.
On Amazon Linux servers the certs are located at /etc/pki/tls/

What does a cert miner do?

You need to combine the private keys and the cert file of each domain hosted on your server into a .pem file and name the .pem file after the domain. The pem file needs to be located at

You also need to create the /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst and include the full path for each .pem file created in the previous step. It’s also required to include the domain name itself and the domain name with www. and the *. in front of the domain in order to use the cert for the subdomains.
It might be easier to just show an example for this:
/opt/bitninja-ssl-termination/etc/haproxy/certs/example.pem example www.example *.example

Now we just have to implement a script that does just that.

After the certificate miner is complete we recommend running the script via a cron job every 20-30 minutes.
This is required to make sure the .pem files are always up to date and include the newly added certs too.



#create the cert-list.lst file
echo > /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

#gather the domain names where we have the cert files 
# an example for one of the cert locations is /etc/letsencrypt/live/
for i in ` ls -F <location of every cert>/*/cert.pem | awk -F "/" {'print $5'}| sed 's/\.[.]*$//'` ;

#from now on $i will mean all the domains names

#combine the privatekey file and the cert file into the pem file pay attention to the files name
cat <location of every cert>/$i/privkey.pem <location of every cert>/$i/cert.pem > /opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem

#add the location of all the generated pemfiles to the file
echo "/opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem $i www.$i *.$i" >> /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

#remove empty lines if you want :)
sed -i '/^$/d' /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
  1. Locate the cert and private key of each domain. And include the location in the script as shown above
    e.g.: nano
  2. Make the script executable by issuing this command
    e.g.:chmod +x
  3. Run the script.
    e.g.: ./
  4. Test if the correct files are created with the correct names and contents
  5. Add the script to the crontab. You can generate the cronjob easily with this online tool.

Set as default cert miner

You can use your own cert miner as the default certificate miner instead of the ConfigParser module.
If you follow the below guide, then your script will run automatically when the agent starts up, and when the SslTerminating module is reloaded.
This feature accepts:

  • BASH scripts only
  • Scripts owned by the ROOT user only
  • Scripts with an .sh extension only

Please see the video guide on the setting here and see the text guide below the video.

  1. Create your script (or move it) under the /etc/bitninja/SslTerminating/cert_miners/ directory.
    You can move the script with the mv command like this:
    mv /current/location/of/ /etc/bitninja/SslTerminating/cert_miners/
  2. Open the /etc/bitninja/SslTerminating/config.ini file with your preferred text editor.
    e.g.: nano /etc/bitninja/SslTerminating/config.ini
  3. Remove the semicolons from the ;useConfigParserModule=0 line. So it looks like this:
  4. Remove the semicolon from the ;allowCertListFileEdition=0 line and change the value to 1. So it looks like this:
  5. Exit the editor and save the changes.
    e.g.: in nano press ctrl +X then Y then enter
  6. Restart BitNinja with the service bitninja restart command.

Script (examples)

Each server is different, copying the script might not work in all cases.

In these scripts, we assume that the cert and private key files are located in the same directories with each domain.



echo > /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
for i in `ls /usr/local/directadmin/data/users/*/domains/* | grep ".key"  | awk -F "/" {'print $9'} | sed 's/\.^.]*$//'` ;


cat /usr/local/directadmin/data/users/*/domains/"$i".key /usr/local/directadmin/data/users/*/domains/"$i".cert > /opt/bitninja-ssl-termination/etc/haproxy/certs/"$i".pem
echo "/opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem $i www.$i *.$i" >> /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst


Let’s encrypt


echo > /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
for i in ` ls -F /etc/letsencrypt/live/*/cert.pem | awk -F "/" {'print $5'}| sed 's/\.[.]*$//'` ;

cat /etc/letsencrypt/live/$i/privkey.pem /etc/letsencrypt/live/$i/cert.pem > /opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem
echo "/opt/bitninja-ssl-termination/etc/haproxy/certs/$i.pem $i www.$i *.$i" >> /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst

#remove empty lines
sed -i '/^$/d' /opt/bitninja-ssl-termination/etc/haproxy/cert-list.lst
Please do not hesitate to contact us at or via live chat from the Dashboard if you need help with this or anything else.

Was this article helpful?
It was not helpful
Views: 924